[Pkg-samba-maint] Bug#866823: Bug#866823: Bug#866823: samba: does not follow symbolic links

Mon Nov 23 10:33:15 GMT 2020

I'm sorry, with snippets of smb.conf and vague references to a feature
that is on by default (follow symlinks = yes is the default), it is
really hard to know what exactly was working that is not working any
more.

Also, upstream bugzilla.samba.org is probably a better place to raise
concerns, nobody (else) here develops the code (and I do the AD DC) so
it becomes message-passing at best.

When you are there, explain in painful detail exactly what did work,
the smb.conf used in the past, and what now fails to work, including
the full FS layout information.

Andrew Bartlett

On Mon, 2020-11-23 at 15:45 +0530, Ritesh Raj Sarraf wrote:
> On Mon, 2020-11-23 at 10:12 +0100, Mathieu Parent wrote:
> > > The (insecure) workaround mentioned in this bug report, that of:
> > > 
> > > # For symlink hack
> > >     wide links = yes
> > >     allow insecure wide links  = yes
> > > 
> > > 
> > > makes it work again.
> > 
> > Do you have path=/ ?
> > 
> 
> No. What I have is below.
> 
> rrs at chutzpah:/var/log/samba$ grep path /etc/samba/smb.conf 
> ;   logon path = \\%N\profiles\%U
> #   logon path = \\%N\%U\profile
>    path = /media/rrs/EXDATA
>    path = /media/rrs/4TBWD
>    path = /media/rrs/4TBWD
>    path = /home/rrs/Trans/
> ;   path = /home/samba/netlogon
> # users profiles (see the "logon path" option above)
> # The path below should be writable by all users so that their
> ;   path = /home/samba/profiles
>    path = /var/spool/samba
>    path = /var/lib/samba/printers
> 15:40 ♒♒♒   ☺    
> 
> 
> > Also, from the 4.13 WHATSNEW.txt:
> > 
> > > wide links functionality
> > > ------------------------
> > > 
> > > For this release, the code implementing the insecure "wide links
> > > =
> > > yes"
> > > functionality has been moved out of the core smbd code and into a
> > > separate
> > > VFS module, vfs_widelinks. Currently this vfs module is
> > > implicitly
> > > loaded
> > > by smbd as the last but one module before vfs_default if "wide
> > > links = yes"
> > > is enabled on the share (note, the existing restrictions on
> > > enabling wide
> > > links around the SMB1 "unix extensions" and the "allow insecure
> > > wide links"
> > > parameters are still in force). The implicit loading was done to
> > > allow
> > > existing users of "wide links = yes" to keep this functionality
> > > without
> > > having to make a change to existing working smb.conf files.
> > > 
> > > Please note that the Samba developers recommend changing any
> > > Samba
> > > installations that currently use "wide links = yes" to use bind
> > > mounts
> > > as soon as possible, as "wide links = yes" is an inherently
> > > insecure
> > > configuration which we would like to remove from Samba. Moving
> > > the
> > > feature into a VFS module allows this to be done in a cleaner way
> > > in future.
> > > 
> > > A future release to be determined will remove this implicit
> > > linkage,
> > > causing administrators who need this functionality to have to
> > > explicitly
> > > add the vfs_widelinks module into the "vfs objects =" parameter
> > > lists.
> > > The release notes will be updated to note this change when it
> > > occurs.
> > 
> > Can't you use bind mounts?
> 
> I only enabled " wide links = yes" today, when I noticed that the
> upgrade has cause my shares to be inaccessible, for the symlink
> folders.
> 
> I would rather prefer to not use "wide links = yes" at all and
> instead
> just be able to use symlinks feature, with say, something like the
> below which had been working until the last upgrade.
> 
> [EXDATA]
>    comment = EXDATA
>    browseable = yes
>    follow symlinks = yes
>    read only = no
>    create mask = 0770
>    directory mask = 0770
>    path = /media/rrs/EXDATA
> 
> 
> 
> _______________________________________________
> Pkg-samba-maint mailing list
> Pkg-samba-maint at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-samba-maint
-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
https://catalyst.net.nz/services/samba